feat: add resend verification email (#340)

* docs: add resend verification email design spec

Design spec for adding a "Resend email" button to the Check Your Email
page, backed by a custom Payload CMS endpoint that regenerates
verification tokens and re-sends the email via AWS SES.

* docs: add resend verification email implementation plan

7-task TDD plan covering: shared email helper, endpoint handler,
i18n translations, sign-up redirect, and CheckYourEmail component
with 30-second cooldown resend button.

* feat: add shared verification email template helper

* refactor: extract verification email template to shared helper

* feat: add resend verification email endpoint

Implements POST /api/users/resend-verification Payload CMS endpoint that
generates a new token, updates the user record, and sends a verification
email — returning a generic success response in all cases to prevent
user enumeration.

* feat: add resend verification email i18n keys

* feat: pass email to check-your-email page via query param

* refactor: simplify verify-email formatting

Inline short parameter types and assertion strings for readability.

* feat: add resend verification email button with cooldown

Add resend button to CheckYourEmail component that calls the
/v1/api/users/resend-verification endpoint, with a 30-second cooldown
and countdown display after clicking. Install @testing-library/user-event
and cover all behaviour with 7 unit tests (TDD).

* style: reformat imports in check-your-email component and test

* fix(quality): resolve typescript:S7772 in resend-verification.ts (MINOR)

Use node: protocol prefix for crypto import.

* fix(quality): resolve typescript:S6759 and S7764 in check-your-email (MINOR)

Mark component props as read-only; use globalThis over global.

Author: mbarrenechea

client/package.json

@@ -139,6 +139,7 @@
     "@tanstack/eslint-plugin-query": "5.91.4",
     "@testing-library/jest-dom": "6.9.1",
     "@testing-library/react": "16.3.0",
+    "@testing-library/user-event": "^14.6.1",
     "@types/chroma-js": "2.4.5",
     "@types/geojson": "^7946.0.16",
     "@types/jest": "29.5.14",

client/pnpm-lock.yaml

@@ -17,13 +17,15 @@ export async function generateMetadata({
   };
 }
 
-export default async function CheckYourEmailPage(
-  _props: PageProps<"/[locale]/auth/check-your-email">,
-) {
+export default async function CheckYourEmailPage({
+  searchParams,
+}: PageProps<"/[locale]/auth/check-your-email">) {
+  const { email } = await searchParams;
+
   return (
     <section className="flex grow items-center justify-center">
       <div className="mx-auto w-full max-w-lg">
-        <CheckYourEmail />
+        <CheckYourEmail email={typeof email === "string" ? email : undefined} />
       </div>
     </section>
   );

client/src/app/(frontend)/[locale]/(app)/auth/check-your-email/page.tsx

@@ -7,6 +7,8 @@ import { auth, signOut } from "@/lib/auth";
 import { adminAccess } from "@/cms/access/admin";
 import { anyoneAccess } from "@/cms/access/anyone";
 import { userAccess } from "@/cms/access/user";
+import { buildVerifyEmailHTML, VERIFY_EMAIL_SUBJECT } from "@/cms/emails/verify-email";
+import { resendVerificationHandler } from "@/cms/endpoints/resend-verification";
 import { beforeDeleteUser } from "@/cms/hooks/user";
 import { or } from "@/cms/utils/or";
 
@@ -19,31 +21,13 @@ export const Users: CollectionConfig = {
   auth: {
     verify: {
       generateEmailSubject: async () => {
-        return "Verify your email address";
+        return VERIFY_EMAIL_SUBJECT;
       },
       generateEmailHTML: async (params) => {
-        // Use the token provided to verify your user's email address
-        const verifyEmailURL = `${env.NEXT_PUBLIC_URL}/auth/verify-email?token=${params.token}`;
-
-        return `
-          <!doctype html>
-        <html lang="en">
-          <head>
-            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-          </head>
-          <body>
-            <h1>Email verification</h1>
-            <p>
-              Hello ${params.user.email},<br /><br />
-              Thank you for registering an account with AmazoniaForever360+!. Please verify your email address by clicking the link below:<br />
-              <a href="${verifyEmailURL}">Verify your email address</a><br /><br />
-              If you did not create this account, please ignore this email.<br /><br />
-              Thank you!<br />
-              AmazoniaForever360+ Team
-            </p>
-          </body>
-        </html>
-        `;
+        return buildVerifyEmailHTML({
+          email: params.user.email,
+          token: params.token,
+        });
       },
     },
     forgotPassword: {
@@ -133,6 +117,11 @@ export const Users: CollectionConfig = {
         });
       },
     },
+    {
+      path: "/resend-verification",
+      method: "post",
+      handler: resendVerificationHandler,
+    },
   ],
   hooks: {
     beforeDelete: [beforeDeleteUser],

client/src/cms/collections/Users.ts

@@ -0,0 +1,54 @@
+jest.mock("@/env.mjs", () => ({
+  env: {
+    NEXT_PUBLIC_URL: "http://localhost:3000",
+  },
+}));
+
+import { buildVerifyEmailHTML, VERIFY_EMAIL_SUBJECT } from "./verify-email";
+
+describe("verify-email", () => {
+  describe("VERIFY_EMAIL_SUBJECT", () => {
+    it("returns the expected subject line", () => {
+      expect(VERIFY_EMAIL_SUBJECT).toBe("Verify your email address");
+    });
+  });
+
+  describe("buildVerifyEmailHTML", () => {
+    it("includes the verification URL with the provided token", () => {
+      const html = buildVerifyEmailHTML({
+        email: "test@example.com",
+        token: "abc123",
+      });
+
+      expect(html).toContain("http://localhost:3000/auth/verify-email?token=abc123");
+    });
+
+    it("includes the user email in the greeting", () => {
+      const html = buildVerifyEmailHTML({
+        email: "test@example.com",
+        token: "abc123",
+      });
+
+      expect(html).toContain("test@example.com");
+    });
+
+    it("returns a complete HTML document", () => {
+      const html = buildVerifyEmailHTML({
+        email: "test@example.com",
+        token: "abc123",
+      });
+
+      expect(html).toContain("<!doctype html>");
+      expect(html).toContain("</html>");
+    });
+
+    it("includes the clickable verification link", () => {
+      const html = buildVerifyEmailHTML({
+        email: "test@example.com",
+        token: "token456",
+      });
+
+      expect(html).toContain('<a href="http://localhost:3000/auth/verify-email?token=token456">');
+    });
+  });
+});

client/src/cms/emails/verify-email.test.ts

@@ -0,0 +1,27 @@
+import { env } from "@/env.mjs";
+
+export const VERIFY_EMAIL_SUBJECT = "Verify your email address";
+
+export function buildVerifyEmailHTML(params: { email: string; token: string }): string {
+  const verifyEmailURL = `${env.NEXT_PUBLIC_URL}/auth/verify-email?token=${params.token}`;
+
+  return `
+    <!doctype html>
+  <html lang="en">
+    <head>
+      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    </head>
+    <body>
+      <h1>Email verification</h1>
+      <p>
+        Hello ${params.email},<br /><br />
+        Thank you for registering an account with AmazoniaForever360+!. Please verify your email address by clicking the link below:<br />
+        <a href="${verifyEmailURL}">Verify your email address</a><br /><br />
+        If you did not create this account, please ignore this email.<br /><br />
+        Thank you!<br />
+        AmazoniaForever360+ Team
+      </p>
+    </body>
+  </html>
+  `;
+}

client/src/cms/emails/verify-email.ts

@@ -0,0 +1,140 @@
+/**
+ * @jest-environment node
+ */
+
+jest.mock("@/env.mjs", () => ({
+  env: {
+    NEXT_PUBLIC_URL: "http://localhost:3000",
+  },
+}));
+
+jest.mock("@/cms/emails/verify-email", () => ({
+  VERIFY_EMAIL_SUBJECT: "Verify your email address",
+  buildVerifyEmailHTML: jest.fn().mockReturnValue("<html>mock email</html>"),
+}));
+
+import { buildVerifyEmailHTML } from "@/cms/emails/verify-email";
+
+import { resendVerificationHandler } from "./resend-verification";
+
+function createMockReq(body: Record<string, unknown>) {
+  return {
+    payload: {
+      find: jest.fn(),
+      update: jest.fn(),
+      sendEmail: jest.fn(),
+    },
+    json: jest.fn().mockResolvedValue(body),
+  } as unknown as Parameters<typeof resendVerificationHandler>[0];
+}
+
+describe("resendVerificationHandler", () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it("returns 400 when email is missing", async () => {
+    const req = createMockReq({});
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(json.message).toBe("Invalid email address.");
+  });
+
+  it("returns 400 when email is invalid", async () => {
+    const req = createMockReq({ email: "not-an-email" });
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(json.message).toBe("Invalid email address.");
+  });
+
+  it("returns generic success when user is not found", async () => {
+    const req = createMockReq({ email: "unknown@example.com" });
+    (req.payload.find as jest.Mock).mockResolvedValue({ docs: [] });
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(json.message).toContain("If an account exists");
+    expect(req.payload.sendEmail).not.toHaveBeenCalled();
+  });
+
+  it("returns generic success when user is already verified", async () => {
+    const req = createMockReq({ email: "verified@example.com" });
+    (req.payload.find as jest.Mock).mockResolvedValue({
+      docs: [{ id: "1", email: "verified@example.com", _verified: true }],
+    });
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(json.message).toContain("If an account exists");
+    expect(req.payload.sendEmail).not.toHaveBeenCalled();
+  });
+
+  it("generates a new token, updates user, and sends email for unverified user", async () => {
+    const req = createMockReq({ email: "unverified@example.com" });
+    (req.payload.find as jest.Mock).mockResolvedValue({
+      docs: [{ id: "42", email: "unverified@example.com", _verified: false }],
+    });
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(json.message).toContain("If an account exists");
+
+    // Verify token was updated
+    expect(req.payload.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        collection: "users",
+        id: "42",
+        data: expect.objectContaining({
+          _verificationToken: expect.any(String),
+        }),
+        overrideAccess: true,
+      }),
+    );
+
+    // Verify the token is a 40-char hex string (20 random bytes)
+    const updateCall = (req.payload.update as jest.Mock).mock.calls[0][0];
+    expect(updateCall.data._verificationToken).toMatch(/^[a-f0-9]{40}$/);
+
+    // Verify email was built with the new token
+    expect(buildVerifyEmailHTML).toHaveBeenCalledWith({
+      email: "unverified@example.com",
+      token: updateCall.data._verificationToken,
+    });
+
+    // Verify email was sent
+    expect(req.payload.sendEmail).toHaveBeenCalledWith({
+      to: "unverified@example.com",
+      subject: "Verify your email address",
+      html: "<html>mock email</html>",
+    });
+  });
+
+  it("returns 400 when request body is not valid JSON", async () => {
+    const req = {
+      payload: {
+        find: jest.fn(),
+        update: jest.fn(),
+        sendEmail: jest.fn(),
+      },
+      json: jest.fn().mockRejectedValue(new Error("Invalid JSON")),
+    } as unknown as Parameters<typeof resendVerificationHandler>[0];
+
+    const response = await resendVerificationHandler(req);
+    const json = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(json.message).toBe("Invalid request body.");
+  });
+});